Let us assume thatπ : πΆ β πΆ is a monotonic function on a complete lattice β¨πΆ, β€, β¨, β§β© which admits its unique right-adjointπ : πΆ β πΆ, i.e., βπ, πe β² β πΆ, π(π) β€ πβ² β π β€ eπ(πβ²) holds. Then, Cousot [2000, Theorem 4] shows that the following equivalence holds: for allπ, πβ²β πΆ,
lfp(ππ₯. π β¨ π(π₯)) β€ πβ² β π β€ gfp(ππ¦. πβ²β§ eπ(π¦)) . (24) This property has been used in [Cousot 2000] to derive equivalent least/greatest fixpoint-based invariance proof methods for programs. In the following, we use (24) to derive an algorithm for deciding the inclusionL(A1) β L(A2), which relies on the computation of a greatest fixpoint rather than a least fixpoint. This can be achieved by exploiting the following simple observation, which defines an adjunction between concatenation and quotients of sets of words.
Lemma 8.1. For allπ, π β β(Ξ£β) and π€ β Ξ£β,π€π β π β π β π€β1π and ππ€ β π β π β ππ€β1. PRoof. By definition, for allπ’ β Ξ£β,π’ β π€β1π iff π€π’ β π. Hence, π β π€β1π β βπ’ β π, π€π’ β
π β π€π β π. Symmetrically, ππ€ β π β π β ππ€β1holds. β‘
Given a FAA = β¨π, πΏ, πΌ, πΉ, Ξ£β©, we define the function gPreA :β(Ξ£β)|π | β β(Ξ£β)|π |onπ-indexed vectors of sets of words as follows:
gPreA(β¨ππβ©πβπ) β β¨Γ
πβΞ£,πβ²βπΏ (π,π) πβ1ππβ©πβ²βπ , where, as usual,Γ
β = Ξ£β. It turns out that gPreA is the usual weakest liberal precondition which is right-adjoint of PreA.
Lemma 8.2. For all #Β»πΏ, #Β»π β β(Ξ£β)|π |, PreA( #Β»πΏ) β #Β»π β #Β»πΏ β gPreA( #Β»π ).
PRoof.
PreA(β¨ππβ©πβπ) β β¨ππβ©πβπβ [by definition of PreA]
βπ β π,Γ
πβππ β²πππβ²β ππβ [by set theory]
βπ, πβ²β π, πβ ππ β²β πππβ²β ππβ [by Lemma 8.1]
βπ, πβ²β π, πβ ππ β²β ππβ² β πβ1ππβ [by set theory]
βπβ²β π, ππβ² βΓ
πβππ β²πβ1ππβ [by definition of gPreA]
β¨ππβ©πβπ β gPreA(β¨ππβ©πβπ) . β‘
Hence, from equivalences (10) and (24), we obtain that for all FAsA1andπΏ2β β(Ξ£β):
L(A1) β πΏ2 β #Β»ππΉ1 β gfp(π #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ)) . (25) The following algorithm FAIncGfp decides the inclusionL(A1) β πΏ2, whenπΏ2 is regular, by implementing the greatest fixpoint computation in equivalence (25).
FAIncGfp: Greatest fixpoint algorithm forL(A1) β πΏ2
Data: FAA1=β¨π1, πΏ1, πΌ1, πΉ1, Ξ£β©; regular language πΏ2.
1 β¨ππβ©πβπ :=Kleene(β, π #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ),πΊ# Β»β);
2 forallπ β πΉ1do
3 ifπ β ππthen return false;
4 return true;
The intuition behind Algorithm FAIncGfp is that
L(A1) β πΏ2β βπ€ β L(A1), (π β π€β1πΏ2β π βΓ
π€ βL (A1)π€β1πΏ2) .
Therefore, FAIncGfp computes the setΓ{π€β1πΏ2| π€ β L(A1)} by using the automaton A1and by considering prefixes ofL(A1) of increasing lengths. This means that after π iterations of Kleene, the algorithm FAIncGfp has computed
Γ{π€β1πΏ2 | π€π’ β L(A1), |π€ | β€ π, π0β πΌ1, π0 π€
{ π}
for every stateπ β π1. The regularity of πΏ2 and the property of regular languages of being closed under intersections and quotients entail that each Kleene iterate of Kleene(β, π #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ),πΊ# Β»β) is a (computable) regular language. To the best of our knowledge, this gfp-based language inclusion algorithm FAIncGfp has never been described in the literature before.
Next, we discharge the fundamental assumption guaranteeing the correctness of this algorithm FAIncGfp: the Kleene iterates computed by FAIncGfp are finitely many. To achieve this, we con-sider an abstract version of the greatest fixpoint computation exploiting a closure operator which ensures that the abstract Kleene iterates are finitely many. This closure operatorπβ€A2 will be de-fined by using an ordering relationβ€A2 induced by a FAA2such thatπΏ2 = L(A2) and will be shown to be forward complete for the functionπ #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ) used by FAIncGfp.
Forward completeness of abstract interpretations [Giacobazzi and Quintarelli 2001], also called exactness [MinΓ© 2017, Definition 2.15], is different from and orthogonal to backward completeness introduced in Section 3 and crucially used throughout Sections 4β7. In particular, a remarkable con-sequence of exploiting a forward complete abstraction is that the Kleene iterates of the concrete and abstract greatest fixpoint computations coincide. The intuition here is that this forward com-plete closureπβ€A2 allows us to establish that all the Kleene iterates ofπ #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ) belong to the image of the closureπβ€A2, more precisely that every Kleene iterate is a language which is upward closed forβ€A2. Interestingly, a similar phenomenon occurs in well-structured transition systems [Abdulla et al. 1996; Finkel and Schnoebelen 2001].
Let us now describe in detail this abstraction. A closureπ β uco(πΆ) on a concrete domain πΆ is forward complete for a monotonic functionπ : πΆ β πΆ if ππ π = π π holds. The intuition here is that forward completeness means that no loss of precision is accumulated when the output of a computation ofπ π is approximated by π, or, equivalently, the concrete function π maps abstract elements ofπ into abstract elements of π. Dually to the case of backward completeness, forward completeness implies that gfp(π ) = gfp(π π) = gfp(ππ π) holds, when these greatest fixpoints ex-ist (this is the case, e.g., whenπΆ is a complete lattice). When the function π : πΆ β πΆ admits the right-adjoint eπ : πΆ β πΆ, i.e., π (π) β€ πβ²β π β€ eπ (πβ²) holds, it turns out that forward and backward completeness are related by the following duality [Giacobazzi and Quintarelli 2001, Corollary 1]:
π is backward complete for π iff π is forward complete for eπ . (26) Thus, by (26), in the following result instead of assuming the hypotheses implying that a closureπ is forward complete for the right-adjoint gPreA1, we state some hypotheses which guarantee that π is backward complete for its left-adjoint, that, by Lemma 8.2, is PreA1.
TheoRem 8.3. LetA1=β¨π1, πΏ1, πΌ1, πΉ1, Ξ£β© be a FA , πΏ2be a regular language andπ β uco(β(Ξ£β)).
Let us assume that:
(1) π(πΏ2) = πΏ2;
(2) π is backward complete for ππ . ππ for all π β Ξ£.
Then, L(A1) β πΏ2 iff #Β»ππΉ1 β gfp(π #Β»πΏ .π( # Β»π³2πΌ1 β© gPreA1(π( #Β»πΏ)))). Moreover, the Kleene iterates of π #Β»πΏ . π( # Β»π³2πΌ1β© gPreA1(π( #Β»πΏ))) and π #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ) from the initial valueπΊ# Β»βcoincide in lockstep.
PRoof. Theorem 4.3 shows that ifπ is backward complete for ππ . ππ, for every π β Ξ£, then it is backward complete for PreA1. Thus, by (26),π is forward complete for gPreA1. Then, it turns out thatπ is forward complete for π #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ), because:
π( # Β»π³2πΌ1β© gPreA1(π( #Β»πΏ))) = [by forward completeness for gPreA1andπ(πΏ2) = πΏ2] π(π( # Β»π³2πΌ1) β© π(gPreA1(π( #Β»πΏ)))) = [by (3)]
π( # Β»π³2πΌ1) β© π(gPreA1(π( #Β»πΏ))) = [by forward completeness for gPreA1andπ(πΏ2) = πΏ2] π³# Β»2πΌ1β© gPreA1(π( #Β»πΏ)) .
Since, by forward completeness, gfp(π #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ)) = gfp(π #Β»πΏ . π( # Β»π³2πΌ1β© gPreA1(π( #Β»πΏ)))), by equivalence (25), we conclude thatL(A1) β πΏ2iff #Β»ππΉ1 β gfp(π #Β»πΏ . π( # Β»π³2πΌ1β© gPreA1(π( #Β»πΏ)))).
Finally, we observe that the Kleene iterates ofπ #Β»πΏ . # Β»π³2πΌ1β©gPreA1( #Β»πΏ) and π #Β»πΏ . π( # Β»π³2πΌ1β©gPreA1(π( #Β»πΏ))) starting fromπΊ# Β»βcoincide in lockstep sinceπ( # Β»π³2πΌ1 β© gPreA1(π( #Β»πΏ))) = # Β»π³2πΌ1 β© gPreA1(π( #Β»πΏ)) and
π( # Β»π³2πΌ1) = # Β»π³2πΌ1. β‘
We can now establish that the iterates of Kleene(β, π #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ),πΊ# Β»β) are finitely many.
LetπΏ2=L(A2), for some FA A2, and consider the corresponding left state-based quasiorderβ€πA2 onΞ£β as defined by (16). By Lemma 5.8,β€πA2 is a leftπΏ2-consistent wqo. Furthermore, sinceπ2
is finite, we have that bothβ€πA
2 and (β€πA
2)β1 are wqos, so that, in turn, β¨πβ€π
A2(β(Ξ£β)), ββ© is a poset which is both ACC and DCC. In particular, the definition ofβ€πA
2 implies that every chain inβ¨πβ€π
A2(β(Ξ£β)), ββ© has at most 2|π2|elements, so that if we compute 2|π2| Kleene iterates then we surely converge to the greatest fixpoint. Moreover, as a consequence of the DCC property, we have that Kleene(β, π #Β»πΏ . πβ€A2( # Β»π³2πΌ1β© gPreA1(πβ€A2( #Β»πΏ))),πΊ# Β»β) always terminates, thus implying that Kleene(β, π #Β»πΏ . # Β»π³2πΌ1β© gPreA1( #Β»πΏ),πΊ# Β»β) terminates as well, because their iterates go in lockstep as stated by Theorem 8.3. We have therefore shown the correctness of FAIncGfp.
CoRollaRy 8.4. The algorithm FAIncGfp decides the inclusionL(A1) β πΏ2
Example 8.5. Let us illustrate the greatest fixpoint algorithm FAIncGfp on the inclusion check πΏ(B) β πΏ(A) where A is the FA in Fig. 1 and B is the following FA:
π3 π4
π
π π
By Corollary 8.4, the Kleene iterates ofπ #Β»π .π³(A)# Β»{π3} β© gPreB( #Β»π ) are guaranteed to converge in finitely many steps. We have that
# Β»
π³(A){π3}β© gPreB(β¨π3, π4β©) = β¨πΏ(A) β© πβ1π4, πβ1π3β© πβ1π4β© .
Then, the Kleene iterates are as follows (we automatically checked them by the FAdo tool [Almeida et al. 2009]):
π3(0)=Ξ£β π4(0)=Ξ£β
π3(1)=πΏ(A) β© πβ1Ξ£β=πΏ(A) π4(1)=πβ1Ξ£ββ© πβ1Ξ£β=Ξ£β
π3(2)=πΏ(A) β© πβ1Ξ£β=πΏ(A) π4(2)=πβ1πΏ(A) β© πβ1Ξ£β=πβ1πΏ(A) = (πβπ)+ π3(3)=πΏ(A) β© πβ1(πβπ)+ =πΏ(A) π4(3)=πβ1πΏ(A) β© πβ1(πβπ)+=(πβπ)+
Thus, Kleene outputs the vectorβ¨π3, π4β© = β¨πΏ(A), (πβπ)+β©. Since π β πΏ(A), FAIncGfp concludes
thatπΏ(B) β πΏ(A) holds. ^
Finally, it is worth citing that Fiedor et al. [2019] put forward an algorithm for deciding WS1S formulae which relies on the same lfp computation used in FAIncS. Then, they derive a dual gfp computation by relying on Parkβs duality [Park 1969]: lfp(ππ . π (π)) = (gfp(ππ . (π (ππ))π))π. Their approach differs from ours since we use the equivalence (24) to compute a gfp, different from the lfp, which still allows us to decide the inclusion problem. Furthermore, their algorithm decides whether a given automaton acceptsπ and it is not clear how their algorithm could be extended for deciding language inclusion.